Re: OpenVPN Server fails on TLS-Handshake after reboot (2.2.6) (SOLVED)
-
Hi all,
I've found that after a system reboot, my openvpn connection fails on TLS-Handshake, even though it worked prior to rebooting and the certificates on the client haven't been changed.
Is this an issue that anyone else has come across?
-
No, have not.. How about posting the log.. From your client and the server for this connection.
-
Thanks for the reply, I've had all sorts of unusual issues since upgrading to 2.2.6, so just in the middle of doing a re-install.
Will post logs if this issue isn't resolved on clean install. But from memory, client just keeps retrying (due to infinite retry in config) and server log shows generic TLS-Handshake error.
I've checked all of my certs on both server and client and nothing is altered by reboot as far as I can see…
-
And no such issues here.. So you're saying it worked, then you rebooted and it failed - and then you rebooted and it started working again… Or just that it was working and now stopped?
-
Just worked and then stopped completely after rebooting… even multiple reboots didn't change anything.
I'm at work at the moment, but will do full reinstall from scratch when I get in and try again. Going to make sure that both client and server are using same time server as well when I start again.
Will update later.
-
Built the system from scratch and just receive the same error as before after a reboot. These are from the openvpn log files (server side):
Jan 11 20:10:37 openvpn[10570]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Jan 11 20:10:37 openvpn[10570]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
Jan 11 20:10:37 openvpn[11067]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 11 20:10:37 openvpn[11067]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
Jan 11 20:10:37 openvpn[11067]: TUN/TAP device ovpns1 exists previously, keep at program end
Jan 11 20:10:37 openvpn[11067]: TUN/TAP device /dev/tun1 opened
Jan 11 20:10:37 openvpn[11067]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Jan 11 20:10:37 openvpn[11067]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jan 11 20:10:37 openvpn[11067]: /sbin/ifconfig ovpns1 172.16.7.1 172.16.7.2 mtu 1500 netmask 255.255.255.255 up
Jan 11 20:10:37 openvpn[11067]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1570 172.16.7.1 172.16.7.2 init
Jan 11 20:10:37 openvpn[11067]: UDPv4 link local (bound): [undef]
Jan 11 20:10:37 openvpn[11067]: UDPv4 link remote: [undef]
Jan 11 20:10:37 openvpn[11067]: Initialization Sequence Completed
Jan 11 20:43:51 openvpn[11067]: 172.16.3.17:46337 TLS Error: TLS handshake failed
The client just shows:
TLS Error: TLS key negotiation failed to occur in 60 seconds.
On top of that, apinger still fails to start on boot and I think it may be because of the DynDNS service that is running…
Not having all that much luck with this at the moment.
-
Not sure what helped, but I changed a single line in the server config file…
After "local" was my IP address, but I changed this to my dyndns host name.
Also added my modem on a virtual interface as a static IP and now everything works, even after reboots! :-D
-
"Could not retrieve default gateway from route socket:: No such process (errno=3)"
Why would you be changing lines in the conf file directly?? Just use the gui/wizard!
And you sure as hell do not need to add the modem?? As a VIP? Sounds like your setup is borked from the start.. And your issue is more with connectivity than openvpn.
-
It now works flawlessly… No errors in any of the logs... plus no issues after reboots.
Plus even though I used the GUI, it would only add my IP address to the config file and not the dyndns name. Seeing as I'm on a dynamic IP package here, I don't have much choice in the issue.
I don't know why adding the modem helped, as it's my pfSense box handling PPPoE and not the modem. The modem is only handling the ADSL connection with no credentials.
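The fix in this thread boiled down to the server's "local" directive pointing at an address that no longer existed after the PPPoE link came back up. As an added example (not code from the thread or from pfSense), here is a boot-time pre-flight check that parses the OpenVPN server config and FreeBSD ifconfig output and reports whether the configured bind address (literal IP or DynDNS hostname) is actually assigned to an interface; the config text, ifconfig output and hostname are constructed samples, and the resolver is injectable so it runs offline.

```python
"""Pre-flight check for an OpenVPN server's `local` directive (added example).

After a reboot on a dynamic-IP (PPPoE) link, a `local <ip>` line written with
yesterday's address no longer matches any interface, so clients never complete
the TLS handshake. A `local <hostname>` line only helps once the DynDNS name
resolves to the current address. This check reports which case applies.
"""
import re
import socket

CONFIG_LOCAL = re.compile(r"^\s*local\s+(\S+)", re.MULTILINE)
IFCONFIG_INET = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)", re.MULTILINE)
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def local_directive(config_text):
    """Return the `local` value, or None if unset (OpenVPN then binds to all addresses)."""
    m = CONFIG_LOCAL.search(config_text)
    return m.group(1) if m else None


def interface_addresses(ifconfig_text):
    """Collect every IPv4 address reported by `ifconfig`."""
    return set(IFCONFIG_INET.findall(ifconfig_text))


def check_local_bind(config_text, ifconfig_text, resolve=socket.gethostbyname):
    """Classify the bind address: 'unset', 'ok', 'stale-ip', 'stale-dns' or 'unresolvable'.
    `resolve` defaults to a real DNS lookup but can be swapped for a fake one."""
    value = local_directive(config_text)
    if value is None:
        return "unset"
    addrs = interface_addresses(ifconfig_text)
    if IPV4.fullmatch(value):
        return "ok" if value in addrs else "stale-ip"
    try:
        resolved = resolve(value)
    except OSError:
        return "unresolvable"  # DynDNS name not (yet) resolvable at boot
    return "ok" if resolved in addrs else "stale-dns"


# Constructed sample inputs (not from the thread): a config still carrying
# yesterday's WAN address, and ifconfig output showing today's PPPoE address.
SAMPLE_CONFIG = "dev ovpns1\nproto udp\nlocal 203.0.113.10\nport 1194\n"
SAMPLE_IFCONFIG = (
    "pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1492\n"
    "\tinet 203.0.113.25 --> 203.0.113.1 netmask 0xffffffff\n"
    "ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 172.16.7.1 --> 172.16.7.2 netmask 0xffffffff\n"
)

if __name__ == "__main__":
    print(check_local_bind(SAMPLE_CONFIG, SAMPLE_IFCONFIG))  # stale-ip
```

On a live box, feed it the real server config and the output of `ifconfig`; a "stale-ip" or "stale-dns" result before OpenVPN starts explains a handshake failure without waiting for the 60-second client timeout.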